1437 見つかった項目
脆弱性

AWS Ansible Misconfiguration: Insecure S3 Bucket Storage

Abstract
Amazon S3 バケットは、保存時に暗号化を有効にせずに作成されます。
Explanation
Amazon S3 バケットは、サーバー側の暗号化なしで作成されます。暗号化は、適切な資格情報を持たない人がデータを読み取れないようにすることで、データ侵害を軽減します。保管時の暗号化は、GDPR、HIPAA、PCI など、一部の業界および政府のコンプライアンス要件を満たすのに役立ちます。
References
[1] GDPR Article 32 European Parliament and Council of the European Union
[2] Manage S3 buckets in AWS Ansible project contributors
[3] Amazon Simple Storage Service User Guide Amazon Web Services, Inc.
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark Recommendation 2.1.1
[5] Standards Mapping - Common Weakness Enumeration CWE ID 311
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[7] Standards Mapping - FIPS200 MP
[8] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[13] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[30] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13), Application Misconfiguration (WASC-15)
desc.structural.yaml.aws_cloudformation_misconfiguration_insecure_s3_bucket_storage.base

AWS Ansible Misconfiguration: Insufficient API Gateway Logging

Abstract
テンプレートは、監査ログが不十分なサービスを定義します。
Explanation
監査記録がないと、セキュリティ関連のインシデントを検出して対応する機能が制限され、フォレンジック調査が妨げられます。

ログ機能を損なう構成設定には次のものが含まれますが、これらに限定されません。
- 監査ログを意図的に無効にする
- 特定のユーザー、グループ、またはプロセスのアクションをログから除外する
- ログの整合性を不適切に保護する
- オプションの監査ログを有効にしない
- ログのサンプリング レートを下げる
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - Common Weakness Enumeration CWE ID 778
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000166, CCI-000172
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-2 Account Management (P1), AU-10 Non-Repudiation (P2), AU-12 Audit Generation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-2 Account Management, AU-10 Non-Repudiation, AU-12 Audit Record Generation
[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[9] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[10] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[17] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base

AWS Ansible Misconfiguration: Insufficient CloudFront Logging

Abstract
テンプレートは、監査ログが不十分なサービスを定義します。
Explanation
監査記録がないと、セキュリティ関連のインシデントを検出して対応する機能が制限され、フォレンジック調査が妨げられます。

ログ機能を損なう構成設定には次のものが含まれますが、これらに限定されません。
- 監査ログを意図的に無効にする
- 特定のユーザー、グループ、またはプロセスのアクションをログから除外する
- ログの整合性を不適切に保護する
- オプションの監査ログを有効にしない
- ログのサンプリング レートを下げる
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - Common Weakness Enumeration CWE ID 778
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000166, CCI-000172
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-2 Account Management (P1), AU-10 Non-Repudiation (P2), AU-12 Audit Generation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-2 Account Management, AU-10 Non-Repudiation, AU-12 Audit Record Generation
[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[9] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[10] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[17] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base

AWS Ansible Misconfiguration: Insufficient CloudTrail Logging

Abstract
Ansible タスクは、ログ機能を無効にした AWS CloudTrail を定義します。
Explanation
デフォルトでは、CloudTrail はイベントを記録してログ ファイルを配信しますが、ログ機能は意図的に無効になっています。そのため、悪意のある動作が検出されなくなり、違反が発生した場合のフォレンジック分析が妨げられる可能性があります。

例 1: 次の Ansible タスクは、ログ機能を無効にした CloudTrail をセットアップします。これは、enable_loggingfalse に設定されているためです。

- name: create a single region cloudtrail
  community.aws.cloudtrail:
    s3_bucket_name: mylogbucket
    s3_key_prefix: cloudtrail
    region: us-west-2
    enable_logging: false
References
[1] Ansible project contributors community.aws.cloudtrail – manage CloudTrail create, delete, update
[2] Amazon Web Services Security best practices in AWS CloudTrail
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark Recommendation 3.1
[4] Standards Mapping - Common Weakness Enumeration CWE ID 778
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[6] Standards Mapping - FIPS200 CM
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A10 Insufficient Logging and Monitoring
[17] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000830 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000830 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.iac.yaml.aws_ansible_misconfiguration_insufficient_cloudtrail_logging

AWS Ansible Misconfiguration: Insufficient CloudWatch Logging

Abstract
Ansible タスクは、保持期間のない CloudWatch ログ グループを定義します。
Explanation
デフォルトでは、CloudWatch ログ グループはログを無期限に保持します。保持の値が未指定であることは、適切な構成を設定するために組織のデータ処理ポリシーが参照されていないことを示します。この場合、組織がログ イベントを保存および管理するための、不要なコストが発生する可能性があります。

攻撃者は、長期間にわたって偽のイベント ログを継続的に要求することにより、Denial of Wallet (DoW) 攻撃を開始できます。これは、組織に経済的な影響を与える可能性があります。

例 1: 次の例は、保持ポリシーの定義に失敗した Ansible タスクを示しています。

- name: create a log_group in CloudWatchLogs
  community.aws.cloudwatchlogs_log_group:
    log_group_name: test-log-group
    tags: { "Name": "test-log-group", "Env" : "QA" }
References
[1] Willian Ricardo (@willricardo) community.aws.cloudwatchlogs_log_group – create or delete log_group in CloudWatchLogs
[2] Tal Melamed and Marcin Hoppe OWASP Serverless Top 10 (2017)
[3] AWS AWS Documentation: Working with Log Groups and Log Streams
[4] Daniel Kelly, Frank G.Glavin, Enda Barrett Journal of Information Security and Applications: Denial of wallet—Defining a looming threat to serverless computing
[5] Standards Mapping - Common Weakness Enumeration CWE ID 778
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[7] Standards Mapping - FIPS200 CM
[8] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[14] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[15] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2017 A10 Insufficient Logging and Monitoring
[18] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000830 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000830 CAT II
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Application Misconfiguration
desc.structural.yaml.aws_ansible_misconfiguration_insufficient_cloudwatch_logging

AWS Ansible Misconfiguration: Insufficient Lambda Logging

Abstract
テンプレートは、監査ログが不十分なサービスを定義します。
Explanation
監査記録がないと、セキュリティ関連のインシデントを検出して対応する機能が制限され、フォレンジック調査が妨げられます。

ログ機能を損なう構成設定には次のものが含まれますが、これらに限定されません。
- 監査ログを意図的に無効にする
- 特定のユーザー、グループ、またはプロセスのアクションをログから除外する
- ログの整合性を不適切に保護する
- オプションの監査ログを有効にしない
- ログのサンプリング レートを下げる
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - Common Weakness Enumeration CWE ID 778
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000166, CCI-000172
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-2 Account Management (P1), AU-10 Non-Repudiation (P2), AU-12 Audit Generation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-2 Account Management, AU-10 Non-Repudiation, AU-12 Audit Record Generation
[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[9] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[10] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[17] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base

AWS Ansible Misconfiguration: Insufficient RDS Backup

Abstract
構成は、適切なバックアップ設定なしでリソースを設定します。
Explanation
バックアップは、データを損失や破損から保護するために重要です。バックアップ機能を損なう設定には次のものが含まれますが、これらに限定されません。
- データのバックアップを無効にする
- 定期的にデータをバックアップしない
- バックアップの整合性を定期的にチェックしない
- バックアップの保持期間が十分でない
References
[1] Amazon Web Services, Inc. or its affiliates Backup and recovery approaches on AWS
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003109
[3] Standards Mapping - FIPS200 CP
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 CP-9 Information System Backup (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 CP-9 System Backup
[6] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.1.5 General Data Protection (L3)
[8] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[9] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 12.10.1
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 12.10.1
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 12.10.1
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 2.2 - Secure Defaults
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 2.2 - Secure Defaults
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 2.2 - Secure Defaults
desc.structural.iac.aws.misconfiguration_insufficient_backup.base

AWS Ansible Misconfiguration: Insufficient S3 Backup

Abstract
構成は、適切なバックアップ設定なしでリソースを設定します。
Explanation
バックアップは、データを損失や破損から保護するために重要です。バックアップ機能を損なう設定には次のものが含まれますが、これらに限定されません。
- データのバックアップを無効にする
- 定期的にデータをバックアップしない
- バックアップの整合性を定期的にチェックしない
- バックアップの保持期間が十分でない
References
[1] Amazon Web Services, Inc. or its affiliates Backup and recovery approaches on AWS
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003109
[3] Standards Mapping - FIPS200 CP
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 CP-9 Information System Backup (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 CP-9 System Backup
[6] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.1.5 General Data Protection (L3)
[8] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[9] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 12.10.1
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 12.10.1
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 12.10.1
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 2.2 - Secure Defaults
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 2.2 - Secure Defaults
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 2.2 - Secure Defaults
desc.structural.iac.aws.misconfiguration_insufficient_backup.base

AWS Ansible Misconfiguration: Insufficient S3 Logging

Abstract
テンプレートは、監査ログが不十分なサービスを定義します。
Explanation
監査記録がないと、セキュリティ関連のインシデントを検出して対応する機能が制限され、フォレンジック調査が妨げられます。

ログ機能を損なう構成設定には次のものが含まれますが、これらに限定されません。
- 監査ログを意図的に無効にする
- 特定のユーザー、グループ、またはプロセスのアクションをログから除外する
- ログの整合性を不適切に保護する
- オプションの監査ログを有効にしない
- ログのサンプリング レートを下げる
References
[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet
[2] Standards Mapping - CIS Amazon Web Services Foundations Benchmark Recommendation 3.6
[3] Standards Mapping - Common Weakness Enumeration CWE ID 778
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000166, CCI-000172
[5] Standards Mapping - FIPS200 CM
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-2 Account Management (P1), AU-10 Non-Repudiation (P2), AU-12 Audit Generation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-2 Account Management, AU-10 Non-Repudiation, AU-12 Audit Record Generation
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[10] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[11] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_insufficient_logging.base

AWS Ansible Misconfiguration: Insufficient S3 Monitoring

Abstract
構成は、監視なしのリソースを設定します。
Explanation
違反への対応が遅れると、違反の影響を制限する組織の能力が損なわれます。

監視機能を損なう構成設定には次のものが含まれますが、これらに限定されません。
- 意図的に監視を無効にする
- オプションの監視を有効にしない
- 監視サービスにエクスポートする関連イベントを指定しない
- 特定のユーザー、グループ、プロセス、および地理的領域のアクションを監視から除外する
References
[1] Paul Cichonski,Tom Millar,Tim Grance,Karen Scarfone NIST Special Publication 800-61 Revision 2 - Computer Security Incident Handling Guide
[2] Standards Mapping - CIS Amazon Web Services Foundations Benchmark Recommendation 4.8
[3] Standards Mapping - Common Weakness Enumeration CWE ID 778
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[5] Standards Mapping - FIPS200 CM
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[12] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[19] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000830 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_insufficient_monitoring.base

AWS Ansible Misconfiguration: Insufficient Stack Monitoring

Abstract
構成は、監視なしのリソースを設定します。
Explanation
違反への対応が遅れると、違反の影響を制限する組織の能力が損なわれます。

監視機能を損なう構成設定には次のものが含まれますが、これらに限定されません。
- 意図的に監視を無効にする
- オプションの監視を有効にしない
- 監視サービスにエクスポートする関連イベントを指定しない
- 特定のユーザー、グループ、プロセス、および地理的領域のアクションを監視から除外する
References
[1] Paul Cichonski,Tom Millar,Tim Grance,Karen Scarfone NIST Special Publication 800-61 Revision 2 - Computer Security Incident Handling Guide
[2] Standards Mapping - Common Weakness Enumeration CWE ID 778
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[10] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[11] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000830 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000830 CAT II
desc.structural.iac.misconfiguration_insufficient_monitoring.base

AWS Ansible Misconfiguration: Missing CloudTrail Log Validation

Abstract
Ansible タスクは、整合性検証なしで CloudTrail ログ ファイルを定義します。
Explanation
デフォルトでは、CloudTrail ログ ファイルの検証は無効になっています。そのため、調査担当者は CloudTrail ログ ファイルが外部から改ざんされていないことを確認できません。

これにより、必要な権限を持つ攻撃者が有害な設定変更を実行し、CloudTrail ログを変更してそれらを非表示にすることが可能になります。

例 1: 次の Ansible タスクは、ログ ファイルの整合性検証なしで CloudTrail 構成をセットアップします。これは、enable_log_file_validation パラメーターがないためです。

- name: create a single region cloudtrail
  community.aws.cloudtrail:
    s3_bucket_name: mylogbucket
    s3_key_prefix: cloudtrail
    region: us-west-2
References
[1] Ansible project contributors community.aws.cloudtrail – manage CloudTrail create, delete, update
[2] Amazon Web Services Validating CloudTrail log file integrity
[3] Amazon Web Services Security at Scale: Logging in AWS
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark Recommendation 3.2
[5] Standards Mapping - Common Weakness Enumeration CWE ID 354
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450, CCI-002451
[7] Standards Mapping - FIPS200 MP
[8] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3)
[13] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[14] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2017 A10 Insufficient Logging and Monitoring
[17] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 10.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.3.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.3.2
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[28] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 494
[29] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 494
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.structural.yaml.aws_ansible_misconfiguration_missing_cloudtrail_log_validation.base

AWS Ansible Misconfiguration: Privileged Batch Container

Abstract
構成は、ジョブを実行するための昇格されたアクセス許可を持つコンテナーを設定します。
Explanation
デフォルトでは、コンテナーはほとんどのシステムおよびネットワーク管理操作を実行できません。特権モードでは、そのような制限が解除されます。これにより、悪意のあるジョブの攻撃対象領域が大幅に拡大します。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 250
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), SC-3 Security Function Isolation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, SC-3 Security Function Isolation
[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[30] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 020
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 250
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-002360 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.iac.misconfiguration_privileged_container.base

AWS Ansible Misconfiguration: RDS Auto-Upgrade Disabled

Abstract
構成は、ソフトウェアの自動アップグレードをオフにします。
Explanation
既知のソフトウェアの脆弱性にタイムリーにパッチを適用するソフトウェア自動アップグレードは無効になっています。
References
[1] Standards Mapping - CIS Amazon Web Services Foundations Benchmark Recommendation 2.3.2
[2] Standards Mapping - FIPS200 CM
[3] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[6] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[7] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities
[8] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.3.3
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.3.3
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services
desc.structural.iac.misconfiguration_auto_upgrade_disabled.base

AWS Ansible Misconfiguration: RDS Missing Customer-Managed Encryption Key

Abstract
構成は、保存データに対してカスタマーマネージド暗号鍵を指定しません。
Explanation
カスタマーマネージド キーは、保存データの暗号化には使用されません。

デフォルトでは、暗号化が有効になっている場合、AWS は AWS が管理するキーを使用して保存データを暗号化します。カスタマーマネージド キーを使用すると、組織は、選択した暗号鍵を使用してデータを暗号化できます。これにより、組織は暗号化プロセスをより適切に制御し、ログに記録できます。

そのため、カスタマーマネージド キーは通常、次のような要件 (これに限らない) に対処するソリューションの一部です。
- 機密データへのアクセスの監査ログ
- データ所在地
- キーの交換、無効化、または破棄

aws/service-name 形式のキーは、AWS 管理のキー用に予約されていることに注意してください。
References
[1] Amazon Web Services, Inc. or its affiliates AWS Key Management Service Developer Guide
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 3.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
desc.structural.iac.aws.misconfiguration_missing_customer_managed_encryption_key.base

AWS Ansible Misconfiguration: RDS Publicly Accessible

Abstract
Ansible タスクは、パブリック アクセスが可能な Amazon RDS インスタンスを定義します。
Explanation
パブリック アクセスが可能な Amazon RDS インスタンスにより、組織の攻撃対象領域が必要以上に広がります。一般に公開されているサービスは、攻撃者によるほぼ継続的なスキャンとプロービングの対象になります。

例 1: 次の Ansible タスクは、パブリック アクセスが可能な RDS ボリュームをセットアップします。これは、publicly_accessibletrue に設定されているためです。

- name: createdb
  community.aws.rds_instance:
    db_instance_identifier: test-db
    engine: aurora
    instance_type: db.t2.small
    username: "{{ username }}"
    password: "{{ password }}"
    cluster_id: test-cluster
    publicly_accessible: true
References
[1] Sloane Hertel (@s-hertel) community.aws.rds_instance – Manage RDS instances
[2] Amazon Web Services Security in Amazon RDS
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark Recommendation 2.3.3
[4] Standards Mapping - Common Weakness Enumeration CWE ID 749
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), SC-3 Security Function Isolation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, SC-3 Security Function Isolation
[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.2
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[32] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[33] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863
[34] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.yaml.aws_ansible_misconfiguration_rds_publicly_accessible.base

AWS Ansible Misconfiguration: Reduced CloudFront Availability

Abstract
構成は、サービスの可用性を低下させます。
Explanation
クラウド サービスは通常、サービスのスケーラビリティを促進し、コンテンツをより速く配信し、ボリューム攻撃の影響を軽減するために、キャッシュ、レプリケーション、負荷分散などの技術を使用します。可用性機能が無効になっているか、誤って構成されていると、サービスのパフォーマンスが低下しますが、多くの場合、トラフィックの急増やハードウェア障害などの極端なイベントが発生するまで、すぐには影響が現れません。
References
[1] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[2] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[3] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[4] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[5] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[6] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[7] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[8] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[9] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[16] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
desc.structural.iac.misconfiguration_reduced_availability.base

AWS Ansible Misconfiguration: Reduced EC2 Availability

Abstract
構成は、サービスの可用性を低下させます。
Explanation
クラウド サービスは通常、サービスのスケーラビリティを促進し、コンテンツをより速く配信し、ボリューム攻撃の影響を軽減するために、キャッシュ、レプリケーション、負荷分散などの技術を使用します。可用性機能が無効になっているか、誤って構成されていると、サービスのパフォーマンスが低下しますが、多くの場合、トラフィックの急増やハードウェア障害などの極端なイベントが発生するまで、すぐには影響が現れません。
References
[1] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[2] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[3] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[4] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[5] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[6] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[7] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[8] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[9] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[16] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
desc.structural.iac.misconfiguration_reduced_availability.base

AWS Ansible Misconfiguration: Reduced ELB Availability

Abstract
構成は、サービスの可用性を低下させます。
Explanation
クラウド サービスは通常、サービスのスケーラビリティを促進し、コンテンツをより速く配信し、ボリューム攻撃の影響を軽減するために、キャッシュ、レプリケーション、負荷分散などの技術を使用します。可用性機能が無効になっているか、誤って構成されていると、サービスのパフォーマンスが低下しますが、多くの場合、トラフィックの急増やハードウェア障害などの極端なイベントが発生するまで、すぐには影響が現れません。
References
[1] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[2] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[3] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[4] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[5] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[6] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[7] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[8] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[9] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[16] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
desc.structural.iac.misconfiguration_reduced_availability.base

AWS Ansible Misconfiguration: Weak IAM Password Policy

Abstract
構成は、脆弱なパスワードを許可します。
Explanation
認証はセキュリティの重要な側面です。認証プロセスの信頼性は、ログイン資格情報の安全性と強度によって決まります。ユーザーが強力なパスワードを作成できるようにするパスワード ポリシーは、安全な Web サイトを展開するために重要です。パスワードの強度は、推測やブルート フォース攻撃に対するパスワードの有効性の尺度となります。パスワードの強度の定義に役立つ要素には、パスワードの長さ、複雑さ、ランダム性などの特性が含まれます。
References
[1] National Institute of Standards and Technology (NIST) NIST Special Publication 800-63B: Digital Identity Guidelines
[2] Open Web Application Security Project (OWASP) Authentication Cheat Sheet
[3] Standards Mapping - Common Weakness Enumeration CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[10] Standards Mapping - FIPS200 IA
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication, IA-8 Identification and Authentication (Non-Organizational Users)
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[17] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[18] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[21] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[22] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001650 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.iac.misconfiguration_weak_password_policy.base